Tuesday, July 31, 2012

Compliance In The Cloud Era–New Pressures

Interesting article in Information Week going over the results where they surveyed 422 business technology professionals about compliance. Not surprising one of the top technologies identified to aid in compliance was identity management.

ScreenHunter_03 Jul. 31 11.41

The image above – from the article – is interesting. A whole 6% of businesses will use the cloud regardless of compliance concerns. The other 94% of the businesses – according to the graphic – either won’t put data in the cloud that is subject to compliance or need to assure themselves that they’d remain compliant. I hate to be glass “half-empty” but one could read that as 94% of respondents won’t risk the cloud for data subject to compliance.

With all of the hype around privileged account management it is interesting to see that there are nearly no vendors that support PAM for cloud service providers. Also, the same goes for both discovery of data in the cloud that might be subject to compliance regulations (e.g. an Excel spreadsheet with social security numbers in an Office 365 document) and data loss protection (DLP) solutions.

So either a lot of companies (i.e., more than 6% noted in the graphic) are just doing it or they are leveraging private clouds. But, if they are leveraging private clouds they still have issues managing privileged accounts and discovery/DLP.

Yes, the cloud is generating new pressures.

Monday, July 16, 2012

Yahoo’s Unbelievable Lapse

Well, the title in this article says it all and if you’re like me you probably still can’t believe it.

The error that led to the breach of nearly half a million user passwords from Yahoo was so basic, that the security expert who first spotted it didn’t  believe it. “When I first looked at it, I thought it was fake because there’s no way Yahoo would store 450,000 passwords in the clear”

That being said, I’ll remind everyone that Google has a similar faux-pas in 2008. For a quick refresher on that incident check out my blog entry from then: http://jacksonshaw.blogspot.com/2008/09/google-age-and-single-sign-on.html. And, as quoted then:

As an industry we shouldn’t be making the kinds of mistakes we made 15 or 20 years ago.

Well, it seems we’re still making those kind of mistakes. What Yahoo allowed to happen is not only unbelievable but unconscionable. There’s a good article on creating strong passwords but does having a strong password really matter if the password is stored in clear-text on a back-end server somewhere? If some of this doesn’t push us to better use and better integrate two-factor authentication into our lives I am not sure what will.

In the meantime, I’ll go and change my Yahoo password…

Technorati Tags: ,,

Tuesday, July 03, 2012

There’s a lot of 10 year Active Directory anniversaries happening

I spend a lot of time talking to customers. I wish I could spend more because you really do get a view into their world, their problems and their priorities. My uber-goal is to try to amalgamate those customer visits and see trends that provide me insight into the overall market.

One trend that I have started to see is the number of customers that have been telling me that their Active Directory design and architecture is more than 10 years old and they’ve decided it’s time for an overhaul.

Do you remember what we are all first told by Microsoft about Active Directory security architecture? Here it is: A domain is the security boundary in AD.” Then, we were told: “Ooops, a domain isn’t the security boundary in AD. A forest is the security boundary.” So what ended up happening is a lot of companies – especially banks and multi-nationals – architected and deployed their Active Directory with multiple forests. Now the “ooops” has come back to haunt them.

Many companies have found that managing multiple forests is a pain in the butt. What’s worse is that with the advent of the cloud and things like federation and Office 365 there are scenarios where having multiple forests really, really complicates things. So many customers are working at reducing the number of forests in their environment and also reducing the number of domains while they are at it. In fact, I met one multi-forest, multi-national bank that simply decided to start over from scratch: They set up a brand new single forest and are migrating over to it. (Aside: that same customer already had 5, yes 5, IAM platforms in use. Amazing!)

Is it time for your 100,000 mile/10 year engine overhaul? If so, we have a great tool to help you called Quest Migration Manager for Active Directory. It has 10 years of experience helping customers through these exact scenarios.

The Sad World of Passwords: Is X.500 the answer?

Martin Kuppinger commented on both John and my posts on this topic. Martin, as usual, added some pretty good meat to the discussion. There’s a couple of points I wanted to emphasize that I thought were particularly important:

  • We also know that user acceptance is key to success

This is possibly the #1 issue to security in general. It has to be easy for the user. Ever forget your car keys somewhere? Have to go downstairs to get your wallet so you can get your credit card number to complete an order on a machine upstairs? That type of inconvenience is difficult to overcome around security. I am not convinced that NFC is the panacea here either. I’m sure it’ll be awesome if you happen to have your NFC device at-hand, charged and ready to go.

  • Trust frameworks will be dealing with the complexity of having many IdPs

Hmmm, communication between multiple IdPs? Maybe we’ll need to have a master IdP in each country responsible for “chaining” these transactions to lower-level IdPs and communicating between country-level IdPs? Might we need referrals between these IdPs? What about caching? Shades of X.500!

Yes, I remember how successful X.500 was: At the Interop conference in Atlanta in 1995 an attendee came up to me at the Zoomit booth and said: “How do you speed up things 500 times?” That’s when I knew it was time to move on.

Yes, this will be complicated…

Monday, July 02, 2012

Vulnerability in SCEP? Watch out mobile devices!

Mark Diodati over at Gartner just blogged about a vulnerability in the Simple Certificate Exchange Protocol.

This vulnerability—when combined with two additional pieces of information—enables an attacker to impersonate another user when enrolling for an X.509 certificate.

This is pretty significant because many portals are using SCEP to enroll mobile devices. A certificate is downloaded to the mobile device (usually) after the end-user has authenticated for the first time with the device to the corporate portal. This enables the corporate portal and sometimes Active Directory to start managing the device. It’s a big deal for Bring Your Own Device (BYOD) and it is a big deal around security generally even if you aren’t concerned about BYOD.

Many organizations rely upon certificates for mobile access to the internal network, email, SharePoint, virtual desktops, web applications—you name it. The attacker can impersonate an authorized user and gain unauthorized access to these applications.

This is just another reason why step-up or adaptive authentication is an important aspect of security. Same goes for adaptive authorization once you’re in.

We can no longer rely on a one-time challenge for entry thru the castle walls. We must build in multiple layers of security that force different methods of authentication at different times while you are in the castle. You want to access the treasure room? Who are you again?

It won’t be enough “to perform better user proofing prior to certificate issuance” as Mark says. That will help but we are all going to need to get used to more “Halt! Who goes there?” challenges even after we get thru the castle door.

Counting Quest Defender Tokens

A customer wrote a PowerShell script to perform this task. I've cut-and-paste the PoSh script from his original post below in case you’re interested…

Thank you Mr. Torr!

Technorati Tags: ,,

# Author: Darin Torr
# Contact: darin@colorado2cambodia.com
# This script connects to Quest Defender Reporting Console then parses the xml
# to extract token license counts and emails results
# Current Version: v1.1
# Version History
# 5/06/2012 – v1 – Initial Revision.
# 5/06/2012 -v1.1 – Added html and xml file cleanup on report server

# // Uncomment this to create secure password
#$secureString = Read-Host -AsSecureString
#ConvertFrom-SecureString $secureString | out-file c:\encrypted.txt
#$secure = gc C:\encrypted.txt | ConvertTo-SecureString

# // This is to clean up any old xml and html files from running reports
$reporthtml = “C:\Program Files (x86)\Quest Software\Defender\Defender Report Console\downloads\html\*.html”
$reportxml = “C:\Program Files (x86)\Quest Software\Defender\Defender Report Console\downloads\*.xml”
if (Test-Path $reporthtml)
Remove-item $reporthtml
if (Test-Path $reportxml)
Remove-item $reportxml

# // Change to reflect your servername
$url = “http://server/cgi-bin/d5dsslicensereport.exe?mode=0&xsl=d5licensereport.xsl”
# // create a request
[Net.HttpWebRequest] $req = [Net.WebRequest]::create($url)
$req.Method = “GET”
$req.Timeout = 600000 # = 10 minutes

# // Set if you need a username/password to access the resource
$secure = gc C:\encrypted.txt | ConvertTo-SecureString;
$UserName = “domain\username”;
$req.Credentials = New-Object System.Management.Automation.PSCredential($UserName, $secure);

# // Reading data from page
[Net.HttpWebResponse] $result = $req.GetResponse()
[IO.Stream] $stream = $result.GetResponseStream()
[IO.StreamReader] $reader = New-Object IO.StreamReader($stream)
[string] $output = $reader.readToEnd()
$output | out-null
[xml]$defxml = $output
$final = $defxml.defender_license.desktop_license | select Type,Assigned,Allocation | ConvertTo-Html
function SendMail
#Mail Variables
$EmailFrom = “who@ever.com>”
$EmailSubject = “Daily Defender Token Count”
$smtpServer = “relay”
$SendTo = “you@yours.com”
$date = (Get-Date -format “MM-dd-yyyy”)

$mailmessage = New-Object system.net.mail.mailmessage

############## MAIL BODY #############

# Update body with any text you want and variables # #

$body = “
<lang=EN-US link=blue vlink=purple><div><p>
<span style=font-size:10.0pt;font-family:tahoma,sans-serif;color:#595959>
<dd><p><b>Defender Token count as of $date </b>
<p><pre style=font-size:10.0pt;font-family:tahoma,sans-serif;color:black> $final <b style=color:red></b></pre>
#Mail info
$mailmessage.from = $emailfrom
$mailmessage.Subject = $emailsubject
$mailmessage.Body = $body
$mailmessage.IsBodyHTML = $true
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25)